Re: [SECURITY] [DSA 1571-1] vulnerability of past SSH/SSL sessions

To: debian-security@lists.debian.org
Subject: Re: [SECURITY] [DSA 1571-1] vulnerability of past SSH/SSL sessions
From: Simon Valiquette <v.simon@ieee.org>
Date: Wed, 14 May 2008 21:49:17 -0400
Message-id: <[🔎] 482B969D.5090701@ieee.org>
In-reply-to: <[🔎] 20080515005033.GB14824@pond>
References: <87od7az9v4.fsf@mid.deneb.enyo.de> <[🔎] 482B7759.5000201@ieee.org> <[🔎] 20080515005033.GB14824@pond>

Micah Anderson un jour écrivit:

* Simon Valiquette <v.simon@ieee.org> [2008-05-14 16:36-0400]:
In other words, if a vulnerable key have been involved, and if someonewas able to intercept and save the encrypted data, he/she can nowdecipher It, whether It is passwords, ssh sessions, secure pop/smtpsessions, ssl tunnels or even database transactions. So you need tochange every passwords at risk (bothersome, but relatively easy), butalso consider that secure/confidential information, including credit cardtransactions or whatever, have been disclosed, which is a much biggerproblem.
SSH traffic cannot be compromised that way. Basically the encryption key
used for the SSH session is *not* the host key nor the client key
itself, but it is created on session initiation using a Diffie-Helman
key exchange


  I know, and I though It was obvious in my email that I was aware of that.

The problem is that, AFAIK, the encryption key generated for thesession is also build by openssl. If the bug we talk about also affectDH, then I believe that the probable random number "a" and "b" could belimited to a much smaller group, and thus one could try to guess theshared session key "g exp(ab)" if the number of possibilities are smallenough to make an exhaustive search.

and the host/client keys are just used to verify the
authenticity of the server.

In other words, ssh sessions are not
compromised just because an adversary has the host keys (unless a MITM
is setup, in which case you need bot the host key and the authentication
key to perform a mitm attack).

I insisted on the case where *none* of the host key where vulnerable(my case on many systems), but one or two of the host involved used avulnerable openssl library. So, this is a different problem.

Generating good random number properly are difficult enough that Iwould expect them to came from the same function. I didn't have time tolook at the code, and I would be more than happy to be proven wrong.


Simon Valiquette

Reply to:

References:
- Re: [SECURITY] [DSA 1571-1] vulnerability of past SSH/SSL sessions
  - From: Simon Valiquette <v.simon@ieee.org>
- Re: [SECURITY] [DSA 1571-1] vulnerability of past SSH/SSL sessions
  - From: Micah Anderson <micah@riseup.net>

Prev by Date: Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator
Next by Date: Re: openssl / x509 certs
Previous by thread: Re: [SECURITY] [DSA 1571-1] vulnerability of past SSH/SSL sessions
Next by thread: Re: [SECURITY] [DSA 1571-1] vulnerability of past SSH/SSL sessions
Index(es):
- Date
- Thread